HSTS wraps the provided handler and sets the Strict-Transport-Security header on responses. It inspects the Host header to ensure that HSTS is not specified in responses for origins that are not fully qualified domain names.
(h http.Handler)
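// HSTS wraps the provided handler and sets the Strict-Transport-Security
// header on responses. It inspects the request's host to ensure we do not
// specify HSTS on origins that are not fully qualified domain names.
//
// For incoming server requests net/http promotes the Host header to r.Host
// and removes it from r.Header, so a lookup of r.Header["Host"] never matches
// and the header would never be emitted. The host is therefore taken from
// r.Host; r.Header is consulted only as a fallback for hand-built requests
// that leave r.Host empty.
func HSTS(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if host == "" {
			host = r.Header.Get("Host")
		}

		// r.Host may be "host:port". Drop the port so it is not counted as
		// part of the last label. Scanning stops at ']' so that a bracketed
		// IPv6 literal without a port is left untouched.
	trim:
		for i := len(host) - 1; i >= 0; i-- {
			switch host[i] {
			case ':':
				host = host[:i]
				break trim
			case ']':
				break trim
			}
		}

		// NOTE(review): an IPv4 literal such as 192.0.2.1 also has more than
		// one dot-separated label; whether dnsname.ToFQDN rejects it is not
		// visible here. Browsers ignore HSTS for IP-literal hosts, so this is
		// harmless but worth confirming.
		if host != "" {
			if fqdn, err := dnsname.ToFQDN(host); err == nil && fqdn.NumLabels() > 1 {
				// One year, current host only (no includeSubDomains).
				w.Header().Set("Strict-Transport-Security", "max-age=31536000")
			}
		}
		h.ServeHTTP(w, r)
	})
}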
| 410 | |
| 411 | // serveHandler returns the main http.Handler for serving all requests. |
| 412 | func serveHandler() http.Handler { |
no outgoing calls